Just keep in mind Flash is a target due to its ubiquity. The same applies to (desktop) Windows, IE and Android.
That's not to say these products are without flaw. After all, they're software - of course they have flaws. It's just there are far more people looking for these flaws than in, say, OSX.

The real bitch and a half is because everybody in the press (including many here sadly) were busy kissing Steve Jobs' ass we have NO alternative, none at all.

HTML V5 is a proprietary as hell clusterfuck, which of course was the point as Jobs didn't want anything like Flash games competing with his crappstore (and he was damned smart for doing that, as games make more money than anything else by something like 8 to 1) with H.26x being a boat anchor performance wise compared to Flash. Seriously try out any video in Flash + VP6 and compare it to HTML V5 H.26x and disable hardware acceleration (which is a bandaid designed to cover up how big a pig H.26x is) and look at the numbers yourself. I can tell you that I can run SD DVD quality video all day long on a 2003 Sempron or 2011 middle of the road smartphone in Flash but H.26x? Anything less than a Pentium D or a dual core smartphone it's a slideshow. And this isn't even getting into the fact that the shit Jobs feared like games and animation is beyond pathetic in H.26x precisely because Jobs didn't want anything that could compete, why isn't anybody bitching about this?

Is Flash buggy? Sure is, do we have an alternative, something capable of giving us everything Flash did while having better security and performance? NO WE DO NOT and the simple fact that several years after Jobs first pulled that shit we STILL don't have an actual functional replacement should PISS PEOPLE OFF and rightly so! At least with Flash it ran nearly everywhere on everything, that is until St Steve killed the thing by saying "Thou shalt not be on iPad" and what did it get us? A fucking mess, with some sites working on some phones but not others, too God damned many proprietary "apps" to bring you content simply because without Flash there isn't any other way to do the things Flash did, it's a giant fucking mess...but Apple is making bank which was the whole damned point. Sigh, can we start over and this time NOT let a corp with a giant conflict of interest call the shots, please?

BTW how many of you are planning to split when they force us onto that shitstain that is /. beta? I don't know about you but if I wanted another tweeting twits for shits I'd be on Reddit. The thing is a mess, it looks like shit, hard to follow flow, comments even more broken, obviously designed for pads (which I bet my last buck is less than 3% of the daily readership of this site) it is the Windows 8 of the web!

Seriously try out any video in Flash + VP6 and compare it to HTML V5 H.26x and disable hardware acceleration (which is a bandaid designed to cover up how big a pig H.26x is) and look at the numbers yourself.

So you're essentially saying that turning off hardware acceleration is going to require Core2 specs to play video?

Let's do this: play H.264 on an original iPhone (i.e., YouTube app) and tell me why it's performant. That's a seriously slow (400 MHz older ARM) processor compared to even a mid-decade Intel part.

How is any of this a good comparison? Your rant is not meaningful whatsoever.

BTW how many of you are planning to split when they force us onto that shitstain that is /. beta? I don't know about you but if I wanted another tweeting twits for shits I'd be on Reddit. The thing is a mess, it looks like shit, hard to follow flow, comments even more broken, obviously designed for pads (which I bet my last buck is less than 3% of the daily readership of this site) it is the Windows 8 of the web!

Consider:

The majority of Slashdot's useful content comes from its users, in comments. Thus, t

It's really a shame that Adobe didn't try to create a more open flash platform (the player and spec)... When Adobe bought Macromedia, I'd really hoped that flash would become a package bundle+manifest for SVG + JavaScript/ActionScript and a couple of other files in a zip archive. Flex was a pretty decent toolset, and Flash itself a decent content creation tool for animation, and simple interactive applications and simulations. It's still widely used for training materials, and it takes 3-5x the effort to

Actually IE is the reason Flash won't die! That and XP users who can't upgrade to a modern browser. As long as websites cater to them the longer they won't upgrade.

IE 6 lasted for 12 years as a result of this cycle back and forth waiting for the other to upgrade. Corps liked and locked them down and website makers worked for free for +10 years supporting them so why change?

If IE 8 gets below 5% then expect YouTube and porn sites to phase out Flash. Right now it is the world's most popular browser thanks to Chi

Right now probably isn't the best time to argue about XP users. Sure, XP is still strong at ~30% market share, but the real question is: how much of that 30% is corporate? All corporate machines will move to Windows 7 either by May 2014 or at the very latest, the end of the year. Having an unsecured environment is simply not an option for most corporations.

I know my current company is still in the process of switching to Windows 7. We have ~2,000 people on site, and ~600 XP machines. Coincidentally, that's right at the 0.30 mark, but it should be noted that we don't have a 1:1 people:computer ratio. I forget how many computers we have, but it's over 4,000.

From the website point of view, there's really no reason to hold out once Windows XP is phased out. All other systems can handle HTML 5 (well, the systems with large enough market share to matter), which means all the website will have to do is put up a banner saying "You are missing the required plug-in, please click the following link to upgrade your browser." as opposed to "You are missing the required plug-in. Please click the following link to install flash."

Either way, it's one click, one download, and one install. People who are smart enough to install flash should also be smart enough to install a browser that supports HTML 5, even if they don't know what HTML 5 is or understand why their current browser can't support it.

Conversely, just because IE 6 or 8 has x% of market, doesn't mean all of those machines need or require flash.

Alternatively, other platforms that people are familiar with, like smart phones, consoles, tablets, are all HTML 5 compatible. If they get used to seeing HTML 5 features, like stopping a .gif, they'll get to a point where they need/severely want that feature. That alone will drive them to update their desktop web browser.

Very little is corporate now. Most have already upgraded or are in the final stages of phasing out the XP boxen from the internet altogether.

The majority now are grandmas and Chinese with pirated copies with Windows Update disabled and IE 6 for the latter in Asia. Home users do not know any of this and are sitting ducks with no IT department to protect them.

I really wish MS would give a friendly polite warning to let them know support is ending soon and you have a few weeks to upgrade before security updates

Don't forget that because of the VistaBomb that XP was sold on laptops and netbooks as late as 2009 and needless to say many of those folks don't want to shell out $100+ just to fix MSFT's fuckup. Frankly I think everybody that bought a system with XP after the Vistabomb should be given a free copy of Win 7 Starter or Home as a Mea Culpa but I can't say as I blame 'em as for basic net surfing those netbooks and laptops still work just fine and shelling out $100 just because MSFT couldn't make Vista not suck

How far away are we from gaining a critical mass of websites that don't necessarily need Flash anymore, with the arrival of HTML 5? How long before the scale tips?

When most of the popular casual games are non-Flash.

Even knowing all the evils and dangers of Flash, if I for some reason were forced to stop using most websites and had to choose only a few to continue using, this [flasharcade.com] would be on that list of what to keep (I'm a tower defense game addict).

[Availability of mobile games] doesn't change anything when people are on their PC

The Android SDK includes a device emulator that lets the user use a mouse to generate touch events. But more importantly, any 2D Flash game can be recreated in HTML5 unless a developer expects a lot of players stuck on IE 8 with no privileges to install Chromium or Firefox, and with Windows XP becoming officially insecure in 61 days, that's set to decline rapidly. Cookie Clicker is HTML5, as are most of the incremental games inspired by it.

or don't have a large screen tablet with keyboard and mouse accessories (many games categories are not suitable for mobile screen, or touch).

Didn't we already pass critical mass? I uninstalled Flash from my system over a year ago and don't run into Flash very often these days. If you're using a Flash blocker, you may have an inflated sense of how many sites still rely on Flash, since many of them will detect that you have Flash installed and will attempt to serve up a Flash version of the page (which your blocker will then block). In contrast, if you outright uninstall Flash, they'll serve up a Flash-free version of the page.

Slashdot has taken the obvious next step and adopted Flash as the new interface for beta.slashdot.org [slashdot.org]! Adobe, the Industry leader of web technologies, hailed Dice Holdings, Inc. on their commitment to innovation and is in works with Dice to create a premium Dice Toolbar [TM] to further enhance the two companies' browsing authority.

While I totally agree, I was trying to be more pragmatic. I couldn't care less if a video I try to watch won't play in the HTML5 version (I will simply not watch it).. and I sincerely hope Zynga burns in hell. But all the other average users out there will keep depending on Flash while those companies don't offer HTML5 versions.

plug that same URL into, for example, an iPhone and an iPad and the desired content ALWAYS loads.

Not always. When I navigate to some YouTube videos on my first-generation Nexus 7 tablet, sometimes I get "The content owner has not made this video available on mobile. Add to playlist to watch it later on a PC." This is even more common on Vimeo.

Have you ever compared the two? Calling HTML V5 a "replacement" is like saying "Hey this Pentium D is a replacement for your i3 as they are both dual cores, right?". HTML V5 is a PIG, full stop. It's such a pig they have to resort to tricks like hardware acceleration to try to cover up how big a pig it actually is, try turning HA off and see what the difference is. You can watch DVD quality, even most 720p content on pretty much any PC made in the last decade using Flash and VP6 (which is probably what made G

Sigh, then I'll try to explain it very simply since you seem to have trouble following, mmmkay? Steve Jobs touted HTML V5 with H.26X (which he and Ballmer got together to push over webM, Dirac, Theora, or anything else you could have without patent trolling) as a suitable replacement for flash and IT SUCKS ASSHOLES, okay? It does NOT do the same jobs that Flash did, especially web animation and gaming (or pretty much any interactive content more complex than what JavaScript was doing half a decade ago) it s

It does NOT do the same jobs that Flash did, especially web animation and gaming

In what way? As far as gaming is concerned Stage3D and WebGL are very similar but native is further ahead as you can take advantage of specific platform and hardware features.

What has HTML V5 given us? It has given us a billion proprietary apps to allow the same content that before could have been accessed by any browser with Flash

But that would mean that you couldn't make use of any platform-specific features or hardware optimizations until Adobe added them to Flash, that's a horrible situation to be in. For example Stage3D does not support OpenGLES 3.0 but the iPhone5s does as does particular hardware on Android 4.3+. Not to mention there would be no consisten

As long as IE 8 is still supported webmasters will refuse to let flash die. Since they support IE 8 it gives no incentive to the corps for leaving IE 8 and it is a cycle all over again where IE 8 is the IE 6 of this freaking decade.

Also 5 years ago is when YouTube first supported HTML 5 h.264 videos. Still to this day 50% of the videos won't work without Flash. Sigh. Worse if you try to go in without it a big red banner saying "FLASH NEEDED". Ignorant computer u

That's a convenient position to take but sometimes you don't have a choice. VMware, for example, requires Flash for their web client while at the same time removing functionality from their thick client. I can either take a philosophical stand or I can do my job.

That's a convenient position to take but sometimes you don't have a choice.

You know, I have yet to find more than a few places where I truly don't have a choice. And all of those are work-related and maybe only 2-3 times/year.

For those, my work laptop with IE is what gets used. But there is little else that I discover which uses that. Certainly nothing I voluntarily use for my own purposes -- my current desktop is 5+ years old and has never had Flash on it.

By VMware client, I actually meant vSphere. Part of my job is managing the several hundred virtual servers that run a statewide law enforcement agency. VMware hasn't updated their thick client to support all of the features in ESXi 5.5. To access those features and have passthrough authentication, you have to use Flash, and a Windows-based browser. Perhaps the position you've chosen to take works for you, but if your only experience with VMware is Workstation then you're hardly an authority.

Perhaps the position you've chosen to take works for you, but if your only experience with VMware is Workstation then you're hardly an authority.

LOL, oh god, I am most definitely not claiming to be an authority on VMWare (or anything else for that matter).

I'm saying that for me, in my experience with the web, Flash is useless crap that I have no interest in. That I've successfully avoided using it for most of the last decade tells me that, for me, it's hardly indispensable.

VMWare apparently wants more people to start paying for vSphere, so the ESXi 5.5 client supports basic features, but not the new stuff. Want that, you have to do a web client install, which means having vSphere up and running (and licensed.)

It's kind of funny that VMware seems to be pushing for less dependence on Windows, yet I think you need flash in your browser even if you want to use the web client that's part of the linux-based appliance.

Do you think your browser is secure? Every Firefox and Chrome feature release contains critical security fixes [mozilla.org] and I don't hear people giving them the same treatment Flash gets. I am not a Flash fan, but it is not fair how browser vendors are not blamed too for their bugs with the same emotion people talk about other technologies. Every time a Slashdot post talks about a new browser release, it never mentions the security bugs, only the nice things

Hell no. Which is precisely why I have Noscript, disable 3rd party cookies, use a hosts file to block stuff, don't have Flash installed on my machine, use Ghostery and several other things to block as much crap as possible.

I don't trust the interwebs at all -- which is precisely why I refuse to allow arbitrary code to be executed by any random web site I hit.

Do I think that I'm 100% secure as a result of that? Nope. Do I think I've minimized the risk by disabling/unins

If I -have- to use Flash, I fire up a VM that has a normal (no admin access) user account and run it under a sandboxed Web browser. That way, if/when an exploit happens, it would have to be a very good one to get out of the sandbox and a full context as a user, get Administrator rights, then bash the hypervisor to get out of that.

Not 100%, but it is easy to use, and when done, a closing of the VM rolls all changes back.

My sentiments exactly. One of the reasons I use Chrome: Don't have to install Adobe's bloatware for Flash and/or PDFs. If a browser has security issues with plugins then you know there are bigger problems. :-)

I keep wondering how something on the limited scale of Flash could still have an ongoing stream of security issues after all these years. Is there something about its design that's just inherently unsecure?

Using a modern IE and Chrome is also a great defense. Firefox has no lowrights mode and is therefore not fully sandboxed even under a standard user account. As much as I prefer firefox as of late I can tell you from experience that those whose email accounts get hacked almost always use that browser. Hairyfeet mentioned this too in his journal with yahoomail sending out spam when browsing porn. Lowrights mode only works in Windows Vista or later so dump XP too if you need to be extra safe with extra kernel level sandboxing, ASLR, and additional DEP.

Chrome is nice in that its Flash in Pepper has extra protection as well. I recommend Flashblock. I can still watch videos on YouTube. I just need to click on it.

Adblock plus gets rid of questionable advertiser networks too that are known to be hacked by Russian mob folks so that ad video for toothpaste may have malware in a buffer overflow.

I personally do not use NoScript as this would kill the web. Without JavaScript it is not useful and a big fucking pain in the ass UAC style to enable for each site. Enabling it makes you vulnerable all over again. But if you are willing to put up with it it does a lot too.

Of course run an AV product. I know those with a smile say they are proud not to run it but I bet you $$$ 90% are infected and have banking trojans and God knows what else. Avast and Avira do not use hardly any cpu cycles or slow disk. The days of crappy Norton 360 slowing your system down to a 386 level are done mostly.

The method to block Flash in IE is a bit hidden so I'll explain it here. Open the Gear Menu, go to Safety submenu and tick ActiveX Filtering. To whitelist certain sites, use the blue icon in the address bar.

Recommending any proprietary software to do any task is recommending a security hole. It's trivially easy for any proprietor to include code that spies on you, as computer programmers have long known and Edward Snowden has shown us again. No amount of experience running proprietary software will tell you what you need to know to fix its problems, share your fixes with others, hire others you have good reason to trust to fix problems on your behalf, or even allow someone you have good reason to trust to insp

I personally do not use NoScript as this would kill the web. Without JavaScript it is not useful and a big fucking pain in the ass UAC style to enable for each site. Enabling it makes you vulnerable all over again.

No, it doesn't. It's the difference between a toddler who puts everything into his mouth, and an adult who only puts food from the A-list into her mouth.

Granted, one can die from taking a contaminated pill from a legitimate bottle of Tylenol. But generally one doesn't die from visiting name brand w

Man, and about those third-party gate crashers. Mind if I bring a friend? How about a friend of a friend? How about a friend of a friend of a friend of a friend? Don't worry, he won't do drugs [...] Does anyone who ever attended high school think this is a good security model?

User account control is pretty much useless in a single-user machine. It's a holdover from multi-user UNIX mainframes, where it perhaps worked, but we desperately need a good, convenient way to isolate individual programs and program instances run by the same user from each other. Maybe make every process run as a root of its own VM and only merge changes upstream when an upstream process requests it?

I know it is not cool to praise a Windows tidbit, but one interesting security benefit of Windows Vista and higher is it does tokens. Also lowrights mode as well with ACL. So in essence with UAC you send a token to wininet to run it on another account. With a standard account this is removed and you manually have to enter a password. This is useful for a lot of XP and IE 6 related trojans that target users with a local admin account.

Just switching to a standard account even in XP hugely cuts down malware if

Yes by default it lets some non intrusive ads with a good security record. Follow the link above and it will disable all ads. I will let some in that I know that are safe to make sure websites get their bills paid. Just not ones that blast commercials and install malware.

Basically by default it filters the bad ads. However you can filter all ads if you wish and that option is there. I like this method as to reward SOME advertisement if done properly to support websites.

Also the bad guys can simply get another host so your hostfile will always be out of date.

Not even sure it would help not knowing how this exploit works, but I've tended to disable all plugins from running on page load, but rather on demand when I click. Similar to NoScript/FlashBlock addons. You can then whitelist the sites that you want to allow to have Flash on load. http://lifehacker.com/5685352/... [lifehacker.com]
Wonder what percentage of exploits center around Flash / Acrobat. Thanks Adobe! If you're not tricking me into installing unwanted toolbars you're exposing my computer to malicious twats.

If you're referring to the use of "GNU/Linux" rather than just "Linux", I would guess the use of "GNU/Linux" was intended to contrast desktop Linux [pineight.com], for which this fix was released, with Android, for which support had been terminated even earlier.

It's simply a wrong comment. The NPAPI version of Flash is _NOT_ unsupported. 11.2 is the last version that will be made available as an NPAPI Linux plugin, but Adobe plans to keep fixing security issues in the 11.2 version plugin indefinitely.

Error Handling is one of the most annoying things to do in programming. Some people hate the whole exception handling mechanisms some languages have (be it for code elegance or performance), but I dread to think how to architecture system without those. Even with them it is still very annoying. I hope the next revolution in software engineering will probably be some more automatic way to handle errors, just like garbage collection was to memory handling.

Funny, error handling and throwing an exception is the number 1 area used to 0wn Windows machines. The debugger will run the overflow at ring 0 every time. It has been fixed for Windows 7 but IE 8 and XP you just need to crash IE to 0wn the system.

> I hope the next revolution in software engineering will probably be some more automatic way to handle errors, just like garbage collection was to memory handling.

That would be extremely nice; in the past I would have argued TINSTAAFL but now that 4-core 2.x GHz is starting to get common switching away from the fundamental root problem of "von Neumann architecture" might be an option. However I don't see anyone switching to the Harvard Architecture anytime soon which means yet another 40+ years of buff

However I don't see anyone switching to the Harvard Architecture anytime soon

Modern processors already run a "modified Harvard architecture" with separate instruction and data caches. A purist would not even allow code to be copied from storage into RAM. A strict W^X policy, such as that implemented in iOS, would ban any JIT engine. And besides, executing code from the stack or heap is old and busted; a newer practice is return-oriented programming [wikipedia.org], which uses the "return from subroutine" instruction as a threaded code interpreter. All code in a return-oriented program runs from exe

No software in common use today is mathematically proven to be correct; therefore, all software is buggy.

Absence of proof is not proof of absence. Yes, very little code can be mathematically proven to be correct, but there’s still some room for either getting lucky, or having enough skill to recognize the portions of the code which are exposed to outside control and exercising extreme care & diligence in crafting that code to ensure that it can safely respond to every possible input.

Are the browsers providing sufficient sandboxing, or is the situation the same as it's been for the last 10 years? Does this Flash vulnerability require another vulnerability in the browser ecosystem that has already been blocked in current versions?

Is Flash -designed- to be impossible to sandbox? Cannot the browser vendors force adobe to bend and setup their plugin to be easier to sandbox? I don't understand why this is still a problem after all these years.

Flash is native executable code. It’s not encumbered by any sandboxing function in the browser. That’s by design.

Browser plugins are intended to be allowed unfettered access to the system so that they can accomplish tasks not normally possible within a browser. The only sandbox provided by most browsers relates specifically to JavaScript, and as far as I can tell, this is unrelated to JavaScript at all.

It’s possible that an OS level sandbox beyond the browser (like OS X AppSandbox, Linux AppArmor, SELinux, etc.) might be able to contain an exploit within Flash, limiting it to a user account or a directory; but that would take some careful crafting in terms of OS sandbox configuration.

Then I guess exploits like these are the operating system publisher's fault for not exposing an API that lets a web browser program create and configure a suitable jail for its plug-ins.

Interesting. I just checked: the Flash bundled with my Chrome is the older version (but it's sandboxed to some extent). So then I opened up Firefox and checked the plugin version, and discovered it was already at the newest patched version. I don't recall any update, so I guess the Flash Player plugin updated itself in the background without me noticing, and actually managed to do that faster than Chrome did. Impressive!

It's pretty obvious that Flash has become one of those legacy products where there are only two guys in the entire company that know their way around the codebase. Both have developed chronic alcoholism from maintaining this disaster of a product for so long.

We need an alternative to Flash. An open source alternative which can be forked and maintained by anyone for years and years to come. Something without royalties, patents, trademarks and is free to use and modify by whoever wants to and can be implemente

2) Start Cookie Clicker [dashnet.org], play for a while, hire a couple grandmas, open the menu, and click "Export save". What you see is a JavaScript prompt box, which your web application can create using code like the following. Try it now by copying it into your browser's JavaScript console:

window.prompt("Copy this and paste it somewhere safe", "Nobody desires pain for the sake of pain, but people endure it as part of seeking pleasure.");

One limit is that a prompt box does not support newlines; you'll need a custom

Let's just stop bagging on Adobe... At the least they are taking ownership of the issues they have

Are they? Have they run the Flash codebase through any of the half-dozen excellent source code analysis tools with a security team looking for undiscovered vulnerabilities? Are they being proactive at all?

It's closed source, so we don't know, but perhaps a third-party could certify their efforts and we really could become Adobe supporters.

They certainly seem to be willing to fix Bugs and Exploits made known to them from outside 3rd parties

There’s a word for that, and “proactive” isn’t the word. Close, but off by three letters.

I certainly can’t prove they haven’t taken these steps, but considering Microsoft made a BigThing years ago when they sent all their developers to security school and focused on Windows security (for what that was worth), you’d think Adobe might also want to highlight the fact

I've seen 3D engines in Flash running on machines for which get.webgl.org displays only "Hmm. While your browser seems to support WebGL, it is disabled or unavailable. If possible, please ensure that you are running the latest drivers for your video card." The latest versions of Internet Explorer and Safari don't support cameras at all [caniuse.com] without Flash, and it's prefix hell on every other browser, meaning each web application has to be written once using "-moz" prefix for Firefox and once using "-webkit" prefi